Re: [webauthn] Requirements for security of MDC, DPK and attestation (#1808)

From the view of an RP that has strict certification requirements, I think DPK still isn't enough to make mobile devices trustworthy because they implicitly are binding a credential to a third party account. This makes them ineligible for common criteria authentication systems. I think that for all the effort going into DPK, it's likely we'll see RPs not use it due to its complexity, and the nature of credentials being synced and third party controlled. So my opinion @keikoit is that you should avoid MDC in high assurance scenarios, in favour of FIDO2 certified keys with strict attestation checks around the AAGUIDs in use. It is far simpler to audit and manage from a risk perspective.

-- 
GitHub Notification of comment by Firstyear
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1808#issuecomment-1257382933 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 26 September 2022 02:11:40 UTC
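The AAGUID allowlist check the comment recommends for an RP, as an added illustration that is not part of the thread or of any WebAuthn project code: it parses the authenticator data returned at registration, extracts the AAGUID, and accepts only authenticators on the RP's list. The AAGUIDs, rpIdHash and credential data below are constructed placeholders; a complete check also verifies the attestation statement and its certificate chain (for example against FIDO metadata), which is not shown here.

```python
import struct
import uuid

# Authenticator data layout (WebAuthn, "Authenticator Data"):
#   rpIdHash (32) | flags (1) | signCount (4) | [attestedCredentialData] | [extensions]
# attestedCredentialData:
#   aaguid (16) | credentialIdLength (2, big-endian) | credentialId | credentialPublicKey (CBOR)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data included

# Constructed placeholder AAGUIDs; a real RP uses the values its approved vendors publish.
ALLOWED_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000aa")
UNKNOWN_AAGUID = uuid.UUID("00000000-0000-4000-8000-0000000000bb")
ALLOWLIST = {ALLOWED_AAGUID}


def parse_attested_aaguid(auth_data: bytes) -> tuple[uuid.UUID, bytes, int]:
    """Return (aaguid, credential_id, flags) from registration authenticator data.

    Raises ValueError when the AT flag is unset or the data is truncated, so a
    registration without attested credential data is rejected, not silently accepted.
    """
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than fixed header")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("attested credential data flag (AT) not set")
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("truncated attested credential data")
    aaguid = uuid.UUID(bytes=auth_data[37:53])
    (cred_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_len]
    if len(cred_id) != cred_len:
        raise ValueError("credential id truncated")
    return aaguid, cred_id, flags


def registration_allowed(auth_data: bytes, allowed: set[uuid.UUID], require_uv: bool = True) -> bool:
    """RP policy gate: AAGUID must be allowlisted and UV must be present when required."""
    try:
        aaguid, _cred_id, flags = parse_attested_aaguid(auth_data)
    except ValueError:
        return False
    if require_uv and not flags & FLAG_UV:
        return False
    return aaguid in allowed


def build_sample(aaguid: uuid.UUID, flags: int = FLAG_UP | FLAG_UV | FLAG_AT,
                 cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed authenticator data (not from a real device); 0xA0 is an empty CBOR map standing in for the public key."""
    return (b"\x11" * 32 + bytes([flags]) + struct.pack(">I", 1)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + b"\xa0")
```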